Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-06-2024 07:11

General

  • Target

    9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe

  • Size

    2.6MB

  • MD5

    9218265fb231290964c8f92d64cf2f50

  • SHA1

    f521242e65fd3250e3ae999b05f831b53e593838

  • SHA256

    efdbbfd33878cec186fd94c28f219be1af51df0db664e3c290e7545f77b33c9e

  • SHA512

    ac501c8265c6df08fa7a4f45444d06f798350f3a6de35442dbcb84b00047ca53f17c703ac39fc9ab5714871ec3e0e04bdb1223eeeb88301f59e7ec5e8603373e

  • SSDEEP

    49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LB1B/bS:sxX7QnxrloE5dpUpeb

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2928
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2204
    • C:\FilesHE\xdobsys.exe
      C:\FilesHE\xdobsys.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1208

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\FilesHE\xdobsys.exe

    Filesize

    2.6MB

    MD5

    3af6c98cde4ad21d6decbf70eb30936b

    SHA1

    1b0135ad6a26a7a765e13888afdc568f1771ff0c

    SHA256

    917da62a00fbddd515e1e38c159e3004390807ba8d00ded61e36e52e6d58878c

    SHA512

    dbfe93c53f45cad57d916787a7730efda67c838b4888a1b5f118d82c80cd28f9e3fa56f59bdb26a22cef3828a0a693c11b559b9c647677672deee254220ac989

  • C:\LabZSD\dobxsys.exe

    Filesize

    2.6MB

    MD5

    dda011c7fcfa573da1bd6921cd6d1783

    SHA1

    7432d2803ba1db78287b9b90eacdd800cb8a256e

    SHA256

    6bd62d8c0857bd53bae90684dc830c243ed5d43f21534dcee414f790e1d7e72c

    SHA512

    ab7d5e7765f7f9f55919d835163cfc190fe85c7bf34e202e0976ae5d1e28652432029a19b8dd5548bfdee16acab20f99d932b4dc33e59ac4a152927abe02759c

  • C:\LabZSD\dobxsys.exe

    Filesize

    27KB

    MD5

    9066f9da2f6e14f558228b695e72cbf2

    SHA1

    91038a2a5cdbee686253b1163db1462b67afdc3e

    SHA256

    afcec9da3d6ab02251f8cfb55fdbb99d8a48092388bebeb354a5ecbedcca04c4

    SHA512

    41a27889d2f9e9fe12ceb02ebb86a9a7b9be8a9c8b34ddf510ffdc5876880d78e33cc31be4832bd57fa4af876e75459907f209f89f94d42328c4aa001f56117d

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    171B

    MD5

    0e0023155685f24775b075491b8a142c

    SHA1

    0c504c627013fdbb406bb9b3900cd580aa7282f4

    SHA256

    884f606c8d089a07250b090097eaa195d77ae286a8a28192cc2edb85e7338dd1

    SHA512

    860740fb9d0d61f4690f77fbadf15b880000a6ab721c6ea07d6533cb2003c6bc5501deb4ddfa41b92a7a281b9b4651a401db6905226e65e7544f6dc69e2ff845

  • C:\Users\Admin\253086396416_6.1_Admin.ini

    Filesize

    203B

    MD5

    c73491ecb6955ef78e3649e30046eee7

    SHA1

    abd61f8cec8deba33164bd7250e21f2b11d2b991

    SHA256

    c95fe04a2d15fd3b6620f720a2c51cb3a4114372c933921dcedf3915c8f94dc6

    SHA512

    b2056c7c8a37c9d9aafe0767fe7cd0def0ec7a1164ea60a5c11dcf8b3fba40251e71374353d8638f00c404b97ab989108b3b87c629a1355f2b820e5945ee7980

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevopti.exe

    Filesize

    2.6MB

    MD5

    03a4f5e48d6a555bad1a7630ab10d4b9

    SHA1

    eee4f3c636ca33b71916bc31ae863c1ca656c7c1

    SHA256

    60b002858983e8c8e3f087a047025fd5f30a39683728ce0952c11084ac59816e

    SHA512

    1d431585d80b88b2f3731e8d61658607c9075d336864571ec2c749b59960227243862912c238657dda7debd99520f7ec3d5ca043f14a7879609341aebeeec024
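The process tree and the Downloads section above give a small set of host artifacts worth checking for on other machines: the copy of the sample in the user's Startup folder (sysdevopti.exe), the drops under C:\FilesHE and C:\LabZSD, the .ini written to the profile root, and a Run key that re-launches one of them. The following is an added example, not part of the sandbox output or of the sample, that encodes those artifacts as path rules plus the exact SHA256 values from the report and runs them over a host inventory. The inventory (file paths, hashes and Run values) is constructed for the example; the FileRecord and RunValue types, the function names, and the `<digits>_<OS version>_<username>.ini` reading of the marker file name are assumptions. Note that the three 2.6MB dropped copies each hash differently from the parent and from one another, so exact-hash matching alone will not find sibling infections; the path rules are what carry that case.

```python
"""Host-side IoC check built from this report's process tree and drop list.

Added example, not part of the sandbox output or the sample. The inventory
at the bottom is constructed; on a real host it would come from the file
system and the HKCU/HKLM Run keys.
"""
import re
from dataclasses import dataclass

# SHA256 values copied from the report (parent sample and dropped files).
REPORT_SHA256 = {
    "efdbbfd33878cec186fd94c28f219be1af51df0db664e3c290e7545f77b33c9e":
        "9218265fb231290964c8f92d64cf2f50_NeikiAnalytics.exe (parent)",
    "917da62a00fbddd515e1e38c159e3004390807ba8d00ded61e36e52e6d58878c":
        r"C:\FilesHE\xdobsys.exe",
    "6bd62d8c0857bd53bae90684dc830c243ed5d43f21534dcee414f790e1d7e72c":
        r"C:\LabZSD\dobxsys.exe (2.6MB)",
    "afcec9da3d6ab02251f8cfb55fdbb99d8a48092388bebeb354a5ecbedcca04c4":
        r"C:\LabZSD\dobxsys.exe (27KB)",
    "60b002858983e8c8e3f087a047025fd5f30a39683728ce0952c11084ac59816e":
        r"Startup\sysdevopti.exe",
}

# Path rules from the process tree and Downloads section, matched against the
# lower-cased path. The 2.6MB drops all hash differently from the parent and
# from each other, so these rules, not the hashes, are the primary signal.
# The .ini rule assumes the name is <digits>_<OS version>_<username>.ini
# (6.1 = Windows 7, Admin = sandbox user); that is an inference, not a fact
# stated by the report.
PATH_RULES = [
    (re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\microsoft\\windows"
                r"\\start menu\\programs\\startup\\sysdevopti\.exe$"),
     "sysdevopti.exe in Startup folder"),
    (re.compile(r"^[a-z]:\\fileshe\\[^\\]+\.exe$"), r"executable under C:\FilesHE"),
    (re.compile(r"^[a-z]:\\labzsd\\[^\\]+\.exe$"), r"executable under C:\LabZSD"),
    (re.compile(r"^[a-z]:\\users\\[^\\]+\\\d+_\d+\.\d+_[^\\]+\.ini$"),
     "marker .ini in profile root"),
]


@dataclass(frozen=True)
class FileRecord:          # hypothetical inventory row
    path: str
    sha256: str


@dataclass(frozen=True)
class RunValue:            # hypothetical registry Run value
    key: str               # e.g. HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    name: str
    command: str           # raw value data


def exe_from_command(command: str) -> str:
    """Executable path of a Run value; handles quoted paths with arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def match_path(path: str) -> list[str]:
    """Labels of every PATH_RULES entry the path satisfies (case-insensitive)."""
    low = path.lower()
    return [label for rx, label in PATH_RULES if rx.match(low)]


def match_file(rec: FileRecord) -> list[tuple[str, str]]:
    """(kind, detail) findings for one file: exact-hash hit, then path hits."""
    findings = []
    known = REPORT_SHA256.get(rec.sha256.lower())
    if known:
        findings.append(("hash", f"SHA256 matches report artifact {known}"))
    findings += [("path", label) for label in match_path(rec.path)]
    return findings


def match_run_value(rv: RunValue) -> list[tuple[str, str]]:
    """Run-key persistence pointing at a path the report ties to the sample."""
    exe = exe_from_command(rv.command)
    return [("runkey", f"{rv.key}\\{rv.name} -> {exe} ({label})")
            for label in match_path(exe)]


def hunt(files, run_values) -> dict[str, list[tuple[str, str]]]:
    """Map each flagged subject (file path or Run value) to its findings."""
    report = {}
    for rec in files:
        if hits := match_file(rec):
            report[rec.path] = hits
    for rv in run_values:
        if hits := match_run_value(rv):
            report[f"{rv.key}\\{rv.name}"] = hits
    return report


# Constructed inventory (not from a real host): a clean file, a Startup copy
# whose hash is NOT in the report, a drop that does carry a report hash, the
# marker .ini, one persistence value for the drop and one benign Run value.
SAMPLE_FILES = [
    FileRecord(r"C:\Windows\System32\notepad.exe", "0" * 64),
    FileRecord(r"C:\Users\Alice\AppData\Roaming\Microsoft\Windows\Start Menu"
               r"\Programs\Startup\sysdevopti.exe", "f" * 64),
    FileRecord(r"C:\FilesHE\xdobsys.exe",
               "917da62a00fbddd515e1e38c159e3004390807ba8d00ded61e36e52e6d58878c"),
    FileRecord(r"C:\Users\Alice\771234567890_6.1_Alice.ini", "a" * 64),
]
SAMPLE_RUN = [
    RunValue(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "xdobsys",
             r'"C:\FilesHE\xdobsys.exe"'),
    RunValue(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
             r'"C:\Users\Alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for subject, hits in hunt(SAMPLE_FILES, SAMPLE_RUN).items():
        for kind, detail in hits:
            print(f"[{kind}] {subject}: {detail}")
```

On a live Windows host the inventory would be built from a directory walk with SHA256 hashing over the user profiles and the two C:\ directories, plus the HKCU and HKLM Run keys; the script only needs each file's path and hash and each Run value's raw command. The Startup-folder entry in the constructed data is the instructive case: its hash is unknown, so a hash-only blocklist passes it, while the path rule still flags it.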